ACS command authorization report in conf t mode

Hi, this is probably a quick one, but I couldn't find a solution so far.
We are using command authorization via ACS and are thus able to see (in case of any issues) who has entered which commands at which time on which device. But this only works until someone enters conf t mode. After that I am not getting log entries in the ACS (Version 5). I can see all show commands and who entered the configuration mode, but nothing after that. Config snippet:
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local 
aaa authorization commands 1 default group tacacs+ local 
aaa authorization commands 15 default group tacacs+ local 
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
My guess is that I allow all commands with that and thus no authorization is needed. 
Any idea?
Thanks
Chris
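One way to check the posted snippet mechanically, as an added example rather than a reply from the thread: the Python below parses the `aaa` lines above and reports the three things that decide what the ACS authorization report can show (whether configuration-mode commands are authorized at all, whether each command-authorization list has a fallback, and whether accounting covers the same levels). The finding codes, the fallback classification and the `!`-comment handling are this example's own; whether IOS authorizes configuration commands without an explicit `aaa authorization config-commands` line varies between releases, which is why the script asks for a debug confirmation instead of asserting either way.

```python
"""Lint an IOS AAA snippet for the command-authorization gaps raised in this thread.

Added example, not part of the original post. It reads 'aaa ...' lines and reports:
  - whether configuration-mode commands (after 'conf t') will be authorized and
    therefore can appear in the ACS authorization report,
  - whether each command-authorization list has a fallback (lockout vs wide open),
  - whether accounting covers the same privilege levels.
The finding codes and messages are this example's own; OP_CONFIG is the config
posted in the question.
"""
import re

OP_CONFIG = """\
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local line enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
"""

AUTHZ_CMD = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
ACCT_CMD = re.compile(r"^aaa accounting commands (\d+) ")
LOCAL_FALLBACK = {"local"}
OPEN_FALLBACK = {"none", "if-authenticated"}  # permit everything once TACACS+ is unreachable


def parse(config):
    """Config lines with '!' comments and blanks removed."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def lint_aaa(config):
    """Return 'code: explanation' strings for the snippet."""
    lines = parse(config)
    findings = []
    if "aaa new-model" not in lines:
        findings.append("no-aaa-new-model: AAA is not enabled, the other aaa lines have no effect")

    authz = {}  # privilege level -> method list, e.g. ['group', 'tacacs+', 'local']
    for ln in lines:
        m = AUTHZ_CMD.match(ln)
        if m:
            level, _listname, methods = m.groups()
            authz[int(level)] = methods.split()
    acct_levels = {int(m.group(1)) for m in map(ACCT_CMD.match, lines) if m}

    if not authz:
        findings.append("no-command-authz: no 'aaa authorization commands <level>' line, ACS never sees commands")
    elif "no aaa authorization config-commands" in lines:
        findings.append("config-commands-disabled: commands typed after 'conf t' are not sent for "
                        "authorization and cannot appear in the authorization report")
    elif "aaa authorization config-commands" not in lines:
        findings.append("config-commands-not-explicit: add 'aaa authorization config-commands' so "
                        "configuration-mode commands are authorized like EXEC commands; the default "
                        "differs between IOS releases, so confirm with 'debug aaa authorization' "
                        "(look for 'config command authorization not enabled')")

    for level, methods in sorted(authz.items()):
        present = set(methods)
        if not present & (LOCAL_FALLBACK | OPEN_FALLBACK):
            findings.append(f"no-fallback-{level}: level {level} authorizes via TACACS+ only; with ACS "
                            f"unreachable no level-{level} command is permitted (lockout)")
        elif present & OPEN_FALLBACK:
            findings.append(f"open-fallback-{level}: level {level} falls back to "
                            f"{sorted(present & OPEN_FALLBACK)[0]}; with ACS unreachable every "
                            f"level-{level} command is permitted")
        if level not in acct_levels:
            findings.append(f"no-accounting-{level}: level {level} commands are authorized but not "
                            f"accounted; add 'aaa accounting commands {level} default start-stop group tacacs+'")
    return findings


def codes(config):
    """Just the finding codes, handy for comparisons."""
    return [f.split(":", 1)[0] for f in lint_aaa(config)]


if __name__ == "__main__":
    for finding in lint_aaa(OP_CONFIG):
        print(finding)
    print("--- with 'aaa authorization config-commands' added ---")
    fixed = lint_aaa(OP_CONFIG + "aaa authorization config-commands\n")
    print("\n".join(fixed) if fixed else "(no findings)")
```

Run as-is it prints the single finding the posted config produces and then the same config with the missing line added. The `no-fallback` code is the lockout case raised in the best-practice post further down; `open-fallback` is the case where a lost ACS connection leaves the device wide open, as the Aironet 1310 post describes.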

Similar Messages

  • Cisco ACS command authorization sets

    I need help on the following please.
    1. I am using ACS as a TACACS server to control IOS authorization on all our switches. However, I cannot deny telnet sessions to other devices from within CatOS. Does anyone know the command authorization set to deny this within ACS?
    2. Does anyone know where I can read up on command authorization sets for ACS?
    3. What is the debug command for CatOS to see CLI output?
    Many thanks
    Rod

    Thanks for your info. I have solved my problem -
    1. I enabled tacacs administration logging using command on switch aaa authorization commands 15 default group tacacs+
    This let me see what was happening every time I entered a command on CatOS, via the logging monitor on ACS. From here I was able to see that when I was trying to telnet to a device from CatOS it was doing it at privilege level 1. I then entered this command: aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
    Problem resolved.
    Many thanks.

  • ACS command Authorization on PIX Console

    I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
    aaa-server TACACS+ (inside) host 172.28.x. xx
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication serial console LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authorization command TACACS+
    aaa accounting command privilege 15 TACACS+
    aaa accounting enable console TACACS+
    but the problem is that I don't want to have ACS authentication while connecting with the console. In case of emergency, when
    ACS is down, I want to get on the console and access the device using the local username and password,
    but now after this configuration, when I try to access the firewall via console, I'm getting the error
    command authorization failed.
    I don't want to have any command authorization while connected via console. Please tell me how to resolve this issue.
    I have made the command authorization set in ACS and it is working fine for me.

    Kindly check my modified configuration once again.
    I wanted to use this option in case ACS goes down and I can console into my firewall, but it is not working for me.
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (edn) host 172.28.31.132
    aaa-server TACACS+ (edn) host 172.28.31.133
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication serial console LOCAL
    aaa authentication http console LOCAL
    aaa authorization command TACACS+ LOCAL
    aaa accounting command privilege 15 TACACS+
    aaa accounting enable console TACACS+
    but I'm not able to log in; I'm getting the following error
    Command authorization failed
    TDC-INT-525-01> exit
    Command authorization failed
    TDC-INT-525-01> exit
    Command authorization failed
    TDC-INT-525-01> enable
    Command authorization failed
    I also defined the local command authorization set like this
    privilege cmd level 15 mode exec command exit
    privilege show level 5 mode exec command running-config
    privilege show level 15 mode exec command version
    privilege show level 0 mode exec command access-list
    privilege show level 0 mode configure command access-list
    privilege cmd level 15 mode configure command exit
    privilege cmd level 15 mode configure command no
    privilege cmd level 0 mode configure command access-list
    privilege cmd level 15 mode interface command exit
    privilege cmd level 15 mode subinterface command exit
    privilege cmd level 15 mode dynupd-method command exit
    privilege cmd level 15 mode trange command exit
    privilege cmd level 15 mode route-map command exit
    privilege cmd level 15 mode router command exit
    privilege cmd level 15 mode ldap command exit
    privilege cmd level 15 mode aaa-server-host command exit
    privilege cmd level 15 mode aaa-server-group command exit
    privilege cmd level 15 mode context command exit
    privilege cmd level 15 mode group-policy command exit
    privilege cmd level 15 mode username command exit
    privilege cmd level 15 mode tunnel-group-general command exit
    privilege cmd level 15 mode tunnel-group-ipsec command exit
    privilege cmd level 15 mode tunnel-group-ppp command exit
    privilege cmd level 15 mode mpf-class-map command exit
    privilege cmd level 15 mode mpf-policy-map command exit
    privilege cmd level 15 mode mpf-policy-map-class command exit
    privilege cmd level 15 mode mpf-policy-map-class command exit
    privilege cmd level 15 mode mpf-policy-map-param command exit
    Please tell me how to solve this problem

  • ACS command authorization - deny CatOS "set" commands

    Cisco Secure ACS 4.2
    I have a network support group that I just want to deny the ability to use IOS and CatOS configuration commands.
    I noticed that the Per Group Command Authorization is applicable to only IOS-based commands. I applied it to deny "configure", but permit everything else.
    How do I go about setting this group up to deny set-based commands for the CatOS devices?

    Hi
    CatOS does TACACS+, right? Pretty sure it does. If it has a "shell/exec" service like IOS then ACS won't really care whether the command authorisation is IOS or CatOS; it doesn't have any specific command set knowledge, i.e. it uses string comparisons between what the device is requesting and what is permitted.
    However, if the command authorisations are totally different (between IOS and catos devices) you might need to place them into separate NDGs so that you can map an IOS NDG to an IOS device command set and vice versa.
    Hope that makes sense!

  • Problem - acs command authorization and web access control

    Hi, I'm trying to add control of some Aironet 1310 bridges with an ACS 3.2 (TACACS+). I wanted to be able to do telnet command authorization restrictions through shell command authorization sets and be able to give similarly restrictive web access at the same time. I have it working if I permit some commands that are sent by the browser such as "write memory quiet" and a few others, but for it to work I must give the limited users privilege level 15, and by having the TACACS server authorize the commands it works for both HTTP and telnet. Where my problem begins is when I lose the connection with the ACS server: the user being already authenticated as a level 15 user, the device becomes open to all commands; there is no more restriction applied by the ACS. Does anybody know a workaround?

    It is already at local; it is just that the user already has level 15 access and I used to control the commands through level settings before. So when I try it, my user that is locally level 5 is already recognized as a level 15 user from when it was authenticated through the ACS. If I could find a way to give web access to the 1310 at priv level 5 and still control the command set, it would be ok, but as soon as I try to access a page that is not permitted other than by the view level (I think it's level 1... or 0), I get a username/password prompt with that line at the top of it: "level_15_or_view_access" and the only way I can access it is by entering a level 15 un/pass. I attached my 1310 aaa config
    and here are the command set that work at level 15 to do a "shut" or "no shut" of the radio interface by the web interface:
    configure
    permit terminal
    exit
    permit Unmatched Args
    interface
    permit Dot11Radio0
    no
    permit shutdown
    permit cca
    ping
    permit Unmatched Args
    show
    permit Unmatched Args
    shutdown
    permit Unmatched Args
    telnet
    permit Unmatched Args
    write
    permit memory quiet
    Thanks for the help !

  • Nexus 5500 - unexplainable mutual-exclusion error when using "conf sync" mode

    We have 2 Nexus 5548UP switches which are running NX-OS 7.0(5)N1(1).
    I'm trying to reconfigure an interface, which was previously configured in conf t (local) mode on both switches, in conf sync mode.
    Original config:
    conf t:
    interface Ethernet104/1/33
    inherit port-profile DevServers
    I've changed the configuration so that the vlan was manually configured and the port-profile was removed from the interface. Otherwise, it was not possible to configure a Port-profile inheritance in conf sync mode (as this was in conflict with the config in local mode).
    Current config:
    conf t:
    interface Ethernet104/1/33
    switchport access vlan 13
    However, when I try to configure a PP inheritance for this interface in conf sync mode, I'm getting the same error as if there were a conflict:
    conf sync:
    interface Ethernet104/1/33
    inherit port-profile DevServers
    commit
    Failed: Verify Failed
    Status: Verify Failure
    Error(s):
    Following commands failed mutual-exclusion checks:
    interface Ethernet104/1/33
            inherit port-profile DevServers
    When I configure another interface (not in use) with exactly the same configuration (so access vlan 13 in conf t mode on both switches, and then a PP inheritance in conf sync mode), it is accepted and the configuration is correct. It looks like something is stuck within the NX-OS switch which makes it believe that the PP inheritance is still configured in conf t mode...
    I've had this issue before on another interface, and found somewhere on the internet that NX-OS keeps an internal database, which is mysteriously not always in sync with the current running-config, and that this could be forced manually with the command "resync-database" in conf-sync mode. On that other interface this resolved the issue, but this time it does not work and I keep getting the above error when I want to configure the port-profile.
    Any suggestions?

    Ok... I found the source of the problem (looks to be buggy behaviour).
    Here's my recent blog post that covers a detailed description and a fix/workaround:
    http://nexp.com.ua/technologies/nx-os/troubleshooting-nx-os-config-sync/
    Hope this will help anyone.

  • ACS - Shell Command Authorization Sets

    Hi,
    I have had a problem where a set of users in two groups in ACS are struggling entering commands.  The commands are set in the Shell Command Authorization Sets and this hasn't changed.  Other commands are working.  As this is spanning two groups in ACS I am thinking it's not something with the groups but the command sets itself.
    Just to check, the commands are 'clear port-security' and 'clear mac address-table' - I have entered in Command 'clear' and the following attributes;
    permit port-security
    permit mac address-table
    I've also ticked 'Permit unmatched args'
    At the same time as this is occurring I have been receiving the following messages from the ACS server via email;
    Test Timed out for service: CSAdmin
    Test Timed out for service: CSAuth
    Test Timed out for service: CSDbSync
    Test Timed out for service: CSLog
    I have looked at other posts and have restarted CSMon.  This then stops the messages for some time, then a day or so later I get the messages again.
    Could this be tied in with the command issue?  Is there something else I should look at other than restarting the server and the CSMon service again?  All other CS' services are running.
    Thanks!!
    Steve

    Thanks for your reply!
    there are no errors, the switch IOS is putting the asterisks as it does when you enter a command that is not recognised, i.e. for clear port-security the port-security onwards is not recognised.  On this note, the user is entered into privilege mode and not in configure terminal mode, just base privilege mode.  The group in ACS is set to max privilege level 7 and I have also set this on the user account in addition.
    I am using ACS v 4.1.
    While I receive the service messages and also when they go away - I always have the authorisation problem.
    Thanks
    Steve

  • ACS 3.3 Config Command Authorization

    Hi,
    I want to allow a user only to add/remove routes on a router. The shell command authorization works fine. But when the user is in config mode, he can start any command!
    The debug says:
    1w2d: AAA/AUTHOR: config command authorization not enabled
    How can I enable this and how/where can I configure it on the ACS?
    Thanks in advance

    On ACS just allow the user to enter the "route" command like any other shell command they're allowed to run.
    On the router/NAS, you have to tell it specifically that you want authorization for config commands with the following:
    aaa authorization config-commands
    Note that the format of this command changes slightly on different IOS versions, but if you do "aaa authorization ?" you'll be able to figure it out.

  • ACS Shell Command Authorization Set + restricted Access

    Hi,
    I have tried to create a restricted access Shell Command Authorization Set on ACS as told in the Cisco URL
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    After I applied the same on a user group I found the users in the group have complete access after typing conf t on the equipment. My ultimate aim was to restrict the access only at interface level. Attached are the config details. Has anyone come across such a scenario? Please check my config and let me know if anything needs to be done, especially from my side.
    Thanks in Advance
    Regards
    Vineeth

    Hi Jatin,
    first of all thank you very much. It started working after aaa authorization config-commands.
    Here I was trying to achieve one specific thing.
    I want to stop the following command on ACS: "switchport trunk allowed vlan 103". I only want to allow "add" after "vlan" and block all the other arguments.
    But even after setting the filter on ACS we are still able to execute the command. Is there anything like we cannot control the commands after the sub-commands?
    Also I am attaching the filter list along with this. Could you have a look at this and let me know whether I have configured something wrongly? Other than this, is there any workaround available to achieve this?
    Thanks and Regards
    Vineeth
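To make the matching behaviour concrete, here is an added Python model of a shell command authorization set; it is this example's reading of ACS 4.x behaviour, not Cisco code, and not something posted in the thread. It also covers the CatOS reply's point that ACS only does string comparisons and the later "Command Authorization in ACS" post where a route could still be added. The assumptions are spelled out in the docstring (unknown command falls to the set's Unmatched Commands policy, argument patterns are regular expressions searched in listed order, the per-command Permit Unmatched Args checkbox decides when nothing matches); the sample sets reproduce the posted ones and then tighten them, and the interface pattern is an assumption about what the device sends as the argument, so check it against `debug aaa authorization` on your own gear.

```python
"""Model of how an ACS 4.x shell command authorization set decides a command.

Added example, not code from the thread or from Cisco. The matching rules are
this example's reading of the ACS behaviour (verify against your version):
the first word of the command is looked up in the set; an unknown command gets
the set's Unmatched Commands policy; otherwise the argument string is tested
against the command's permit/deny patterns as regular expressions in listed
order (re.search, so an unanchored pattern matches anywhere) and the first hit
wins; with no hit, the command's Permit Unmatched Args checkbox decides.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Command:
    rules: list = field(default_factory=list)  # [("permit", pattern), ("deny", pattern), ...]
    permit_unmatched_args: bool = False        # the per-command checkbox


@dataclass
class CommandSet:
    commands: dict                     # {"show": Command(...), ...}
    unmatched_commands: str = "deny"   # set-level policy: "permit" or "deny"

    def decide(self, command_line):
        """Return (decision, reason) for one shell command as the device sends it."""
        cmd, _, args = command_line.strip().partition(" ")
        entry = self.commands.get(cmd)
        if entry is None:
            return self.unmatched_commands, f"'{cmd}' not in set; Unmatched Commands = {self.unmatched_commands}"
        for action, pattern in entry.rules:
            if re.search(pattern, args):
                return action, f"'{cmd}' args '{args}' matched {action} /{pattern}/"
        if entry.permit_unmatched_args:
            return "permit", f"'{cmd}' args '{args}' matched no rule; Permit Unmatched Args is on"
        return "deny", f"'{cmd}' args '{args}' matched no rule; Permit Unmatched Args is off"


# Narayan's set from the "Command Authorization in ACS" post. 'ip' is not listed,
# so whether 'ip route' gets through depends only on Unmatched Commands.
NARAYAN_RULES = {
    "configure": Command([("permit", "terminal")]),
    "interface": Command([("permit", "fastethernet")], permit_unmatched_args=True),
    "show": Command([("permit", "vlan")]),
    "switchport": Command([("permit", "access"), ("permit", "vlan")]),
}
NARAYAN_PERMIT = CommandSet(NARAYAN_RULES, unmatched_commands="permit")
NARAYAN_DENY = CommandSet(NARAYAN_RULES, unmatched_commands="deny")

# One configuration that reproduces Vineeth's symptom: 'add' is the only rule, but
# Permit Unmatched Args is ticked, so 'switchport trunk allowed vlan 103' passes.
VINEETH_LOOSE = CommandSet({"switchport": Command([("permit", "add")], permit_unmatched_args=True)})

# Anchored pattern, checkbox off, unmatched commands denied: only the 'add' form passes.
# The interface pattern (Narayan's FE/GE wildcard) assumes the device sends the
# interface name as the argument; confirm the exact text with debug output.
VINEETH_STRICT = CommandSet({
    "switchport": Command([("permit", r"^trunk allowed vlan add \d+(,\d+)*$")]),
    "interface": Command([("permit", r"(?i)^(fast|gigabit)ethernet ?\d+/\d+")]),
})

if __name__ == "__main__":
    for label, cs, line in [
        ("narayan/permit", NARAYAN_PERMIT, "ip route 10.0.0.0 255.0.0.0 192.0.2.1"),
        ("narayan/deny  ", NARAYAN_DENY, "ip route 10.0.0.0 255.0.0.0 192.0.2.1"),
        ("narayan/deny  ", NARAYAN_DENY, "switchport trunk allowed vlan 103"),
        ("vineeth/loose ", VINEETH_LOOSE, "switchport trunk allowed vlan 103"),
        ("vineeth/strict", VINEETH_STRICT, "switchport trunk allowed vlan 103"),
        ("vineeth/strict", VINEETH_STRICT, "switchport trunk allowed vlan add 103"),
        ("vineeth/strict", VINEETH_STRICT, "do show running-config"),
    ]:
        decision, reason = cs.decide(line)
        print(f"{label} {decision:6} {reason}")
```

Two things the runs make visible: an unanchored `permit vlan` under `switchport` also permits `trunk allowed vlan 103`, and `do show ...` in config mode arrives as a command named `do`, so it is only blocked when the set denies unmatched commands and, on the IOS side, configuration commands are being authorized at all.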

  • ACS Shell Command Authorizations Set

    I have Cisco ACS Server V4.0
    In the shell Command Authorization Set I configure a restrict Access.
    In privileged mode the restriction of the commands works well, but when I enter the config prompt the restriction doesn't work. In this prompt I can enter all commands.
    Why This?

    I have the same error with ACS Server 4.2. I can restrict in privileged mode but global config is wide open. Also any command I block in privileged mode can still be executed in global config using the "do" command. How do I block that, or find out what commands the router is sending to the ACS?

  • ACS 5.3 Showing Clear Text Password in Authorization reports

    Hello,
    When a tacacs user is changing the local password on the router (for local user), the acs 5.3 is showing the new password in clear text in authorization reports/logs.
    This behaviour is seen on acs 5.x, whereas acs 4.2 is showing encrypted password in the reports.
    I have checked debugs on Router and it is sending password in clear text in Tacacs Authorization packet but encrypted password in Tacacs Accounting logs.
    Debug tacacs accounting
    debug aaa accounting
    4w3d: TPLUS: Received accounting response with status PASS
    4w3d: TPLUS: Queuing AAA Accounting request 208 for processing
    4w3d: TPLUS: processing accounting request id 208
    4w3d: TPLUS: Sending AV task_id=459
    4w3d: TPLUS: Sending AV timezone=UTC
    4w3d: TPLUS: Sending AV service=shell
    4w3d: TPLUS: Sending AV priv-lvl=15
    4w3d: TPLUS: Sending AV cmd=username sansehga privilege 15 password *****
    4w3d: TPLUS: Accounting request created for 208(sanjay)
    debug tacacs authorization
    debug aaa authorization
    4w3d: AAA/MEMORY: create_user (0x851611DC) user='sanjay' ruser='R1' ds0=0
    port='tty7' rem_addr='10.76.212.159' authen_type=ASCII service=NONE priv=15
    initial_task_id='0', vrf= (id=0)
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): Port='tty7' list='' service=CMD
    4w3d: AAA/AUTHOR/CMD: tty7(1390711548) user='sanjay'
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV service=shell
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd=username
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=sansehga
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=privilege
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=15
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=password
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=sehgal
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=<cr>
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): found list "default"
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): Method=tacacs+ (tacacs+)
    4w3d: AAA/AUTHOR/TAC+: (1390711548): user=sanjay
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV service=shell
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd=username
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=sansehga
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=privilege
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=15
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=password
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=sehgal
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=<cr>
    4w3d: AAA/AUTHOR (1390711548): Post authorization status = PASS_ADD
    Please share if someone has found the fix to this problem.
    Regards,
    Akhtar
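As an added example (not from the post and not Cisco code), the script below walks `debug tacacs authorization` output of the shape posted above, reassembles each authorization request from its `cmd=` / `cmd-arg=` AVs by request id, and flags requests that carry a clear-text credential, producing the redacted form you would want before the capture or report export is stored or shipped. The sample capture is constructed with made-up values in the same format as the debug above; the keyword list (password, secret, key, key-string, community) and the encryption-type skipping are this example's own heuristics. It does not change what ACS records; as the reply below says, that is a product fix.

```python
"""Find clear-text credentials in TACACS+ command-authorization debug output.

Added example, not from the post or from Cisco. Every 'send AV cmd=' /
'cmd-arg=' line of a 'debug tacacs authorization' capture is regrouped by the
request id in 'AAA/AUTHOR/CMD(<id>)', the command is reassembled, and any
argument following a credential keyword is replaced. The keyword list and the
encryption-type skipping are this example's own heuristics; SAMPLE_DEBUG is
constructed with made-up values in the same shape as the posted debug.
"""
import re

AV_LINE = re.compile(r"AAA/AUTHOR/CMD\((\d+)\): send AV (cmd|cmd-arg)=(.*)$")
SECRET_KEYWORDS = {"password", "secret", "key", "key-string", "community"}
ENC_TYPES = {"0", "5", "6", "7", "8", "9"}   # IOS encryption-type digit that may precede the secret

# Constructed sample: one 'username' command, one 'show', one 'enable secret'.
SAMPLE_DEBUG = """\
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV service=shell
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd=username
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=ops-admin
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=privilege
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=15
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=password
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=Hunter2!
4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=<cr>
4w3d: tty7 AAA/AUTHOR/CMD(1390711549): send AV service=shell
4w3d: tty7 AAA/AUTHOR/CMD(1390711549): send AV cmd=show
4w3d: tty7 AAA/AUTHOR/CMD(1390711549): send AV cmd-arg=running-config
4w3d: tty7 AAA/AUTHOR/CMD(1390711549): send AV cmd-arg=<cr>
4w3d: tty7 AAA/AUTHOR/CMD(1390711550): send AV cmd=enable
4w3d: tty7 AAA/AUTHOR/CMD(1390711550): send AV cmd-arg=secret
4w3d: tty7 AAA/AUTHOR/CMD(1390711550): send AV cmd-arg=5
4w3d: tty7 AAA/AUTHOR/CMD(1390711550): send AV cmd-arg=$1$abcd$xyz
4w3d: tty7 AAA/AUTHOR/CMD(1390711550): send AV cmd-arg=<cr>
"""


def redact(tokens):
    """Return (command text, leaked) with each credential argument replaced by *****."""
    out, leaked, i = [], False, 0
    while i < len(tokens):
        tok = tokens[i]
        out.append(tok)
        if tok in SECRET_KEYWORDS and i + 1 < len(tokens):
            i += 1
            if tokens[i] in ENC_TYPES and i + 1 < len(tokens):  # keep the type digit, hide the value
                out.append(tokens[i])
                i += 1
            out.append("*****")
            leaked = True
        i += 1
    return " ".join(out), leaked


def scan(debug_text):
    """Reassemble each authorization request and report which ones carried a secret."""
    requests = {}                        # request id -> tokens, in arrival order
    for line in debug_text.splitlines():
        m = AV_LINE.search(line)
        if not m:
            continue
        rid, _kind, value = m.groups()
        if value == "<cr>":              # end-of-line marker IOS appends, not an argument
            continue
        requests.setdefault(rid, []).append(value)
    results = []
    for rid, tokens in requests.items():
        text, leaked = redact(tokens)
        results.append({"id": rid, "command": text, "leaked": leaked})
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_DEBUG):
        flag = "LEAK" if r["leaked"] else "ok  "
        print(f"{flag} {r['id']} {r['command']}")
```

The contrast with the accounting debug above is the point: the accounting record arrives as one `cmd=` value that IOS has already masked, while the authorization request is split into `cmd-arg=` AVs that carry the argument exactly as typed, so anything that logs those AVs verbatim needs this kind of filter in front of it.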

    Thanks Tarik,
    But it seems it did not help overall
    Akhtar: Cisco needs long time to fix bugs unless it is P1 or P2 bug. Otherwise they'll do it at their leisure.
    If you are not on the latest patch already then upgrade. If you are already on the latest patch then wait for the next one. If your bug is not mentioned as fixed in the resolved caveats, don't panic. I've seen many bugs fixed but not mentioned in the release notes. What you need to do is contact TAC so they contact the BU on your behalf to confirm whether the bug is resolved or not.
    Regards,
    Amjad

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell Command Authorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Configured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Privilege level is checked with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documention I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "you are testing with privilege level 15 or below 15. Because when you are using a below-15 level user, first it will check the local command authorization set. For example if you want to execute sh runn command with a level 5 user, first it will check the local command set. If the sh runn command exists in the local command set then it will send the request to ACS. If it is not in the command set, it won't send the request to ACS. That's why you don't see debug. For level 15 users it will directly send the request to ACS. Configure the command set locally and try; it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • Command Authorization Config best practice using ACS

    Hi
    Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
    Regards
    V Vinodh.

    Vinodh,
    The main thing here is to ensure that we have a backup/fall-back method configured for command authorization, in order to avoid a lockout situation, or do wr mem once you are sure the configs are working fine.
    Please check this link,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Command Authorization in ACS

    Hi,
    Can anybody tell me how can I permit only ping command to a group in ACS. What is the actual statement that I want to add in command authorization sets.

    Hi Prem,
    Can you let me know how can i restrict a group from adding a route. I have the following configured on the ACS under shell authorization
    configure ......permit terminal
    interface ......permit fastethernet (permit Unmatched arg)
    show............permit vlan
    switchport......permit access &
    permit vlan
    With the above configuration I am still able to add a route to the config.
    Also i would like to know the wildcard to be used for enabling all the fastethernet or Ge ports
    thanks in advance
    Narayan

  • Command Authorization in ACS 5.0

    Hi,
    Can anybody route me to configuration example for command authorization in routers or switches or firewall for ACS 5.0.
    OR
    USER-A should be placed in privilege level 2 and given access to all debug commands and the undebug all command.
    Assigned specified commands to level 2
    privilege exec level 2 undebug all
    privilege exec all level 2 debug
    The commands I applied on the routers are above. How can I set a privilege level of 2 on a user in ACS 5.0?
    Also if i want to do shell command authorization set,how can i do it in ACS 5.0
         Thanks,

    You need to create a shell profile to assign the desired privilege level, and a command set to authorize specific commands, then associate those two with the authorization policy that applies to those users.
